Hello Amos,

On 29.06.2019 14:13, Amos Jeffries wrote:

>> I have my own website and there I did something similar - disabling TLSv1 and TLSv1.1,
>
> That is a good sign. That exact combo is in the set supported by the breaking server so it is unlikely your Squid or its OpenSSL is contributing to this particular problem.
>
>> quite strange only a few sites don't work, https://www.3bg.at is an example of such; many others work as expected;
>
> That is a bit odd. Though looking at the SSL Labs report for this www.3bg.at site they're restricting to only TLS/1.2 and there are many clients for which the encryption handshake does not work.
> <https://www.ssllabs.com/ssltest/analyze.html?d=www.3bg.at>
> look to the list of failures under "Handshake Simulation" and the whole list of "Not simulated clients" for comparison with UA of any of your clients having trouble connecting there.
thus only allowing TLSv1.2 here https://www.ssllabs.com/ssltest/analyze.html?d=ssl.mathemainzel.info shows the same; many failures under "Handshake Simulation" but the weird thing, this works with my Squid :-)
> Squid SSL-Bump is limited to negotiating use of TLS versions and features which are supported by both itself and the client when offering things to the server. So the problem of some client agents not supporting TLS/1.2 or the ciphers the server wants to use can make the site fail even if your Squid outbound settings support them.
>
> PS. At the technical level that exact error from OpenSSL means that some data arrived from the server at a time when only TLS alert messages were supposed to be happening.
there is also something different; when doing the following:

openssl s_client -connect HOST:PORT -servername HOST

this lasts about 1 or 2 minutes until a certificate is shown with www.3bg.at
but with my site this goes quickly within seconds;
> I suspect it could be a sign that the Internet between your proxy and that server is being MITM'd by an agent that corrupts the protocol for some reason. e.g. someone else's proxy rejecting the connection but getting its error response syntax wrong.
could this be a proxy on the server side? but the strange thing: without SSL bump or direct without squid this site works; (even my browser uses an uncommon UA string and is not the original Firefox) what strange thing is doing this bad on some sites?

Thanks, Walter
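As an added example (not code from this thread, from Squid or from the SSL Labs tool), the following Go program reproduces the negotiation Amos describes, offline: it starts a local TLS1.2-only server standing in for a site like the one discussed, then probes it with the version ranges a bumping proxy could offer on behalf of clients of different ages, and times each attempt the way the openssl s_client comparison above does. Go's crypto/tls stands in for openssl s_client; the host name tls12-only.example, the self-signed certificate, the client version ranges and the bumpedRange helper are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate in memory (constructed for this example).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls12-only.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer listens on loopback and, like a TLS1.2-only site, completes handshakes only for [minVer, maxVer].
func startServer(minVer, maxVer uint16) (net.Listener, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVer, MaxVersion: maxVer}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// Drive the handshake; a version mismatch reaches the client as a protocol_version alert.
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln, nil
}

// probe offers the server only versions in [minVer, maxVer], as a bumping proxy does for a
// client limited to that range; returns negotiated version (0 on failure), elapsed time, error.
func probe(addr string, minVer, maxVer uint16) (uint16, time.Duration, error) {
	cfg := &tls.Config{
		ServerName:         "tls12-only.example",
		InsecureSkipVerify: true, // self-signed test certificate only
		MinVersion:         minVer,
		MaxVersion:         maxVer,
	}
	start := time.Now()
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return 0, time.Since(start), err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, time.Since(start), nil
}

// bumpedRange models the point made in the thread: a bumping proxy can only offer the
// server versions that both the client and the proxy itself support (assumed helper).
func bumpedRange(clientMin, clientMax, proxyMin, proxyMax uint16) (lo, hi uint16, ok bool) {
	lo, hi = clientMin, clientMax
	if proxyMin > lo { lo = proxyMin }
	if proxyMax < hi { hi = proxyMax }
	return lo, hi, lo <= hi
}

func main() {
	ln, err := startServer(tls.VersionTLS12, tls.VersionTLS12)
	if err != nil { panic(err) }
	defer ln.Close()
	// Proxy with TLSv1 and TLSv1.1 disabled, fronting clients of varying age.
	for _, c := range [][2]uint16{{tls.VersionTLS12, tls.VersionTLS13}, {tls.VersionTLS10, tls.VersionTLS12}, {tls.VersionTLS10, tls.VersionTLS11}} {
		lo, hi, ok := bumpedRange(c[0], c[1], tls.VersionTLS12, tls.VersionTLS13)
		if !ok {
			fmt.Printf("client %#x-%#x: no TLS version in common with the proxy\n", c[0], c[1])
			continue
		}
		v, d, err := probe(ln.Addr().String(), lo, hi)
		fmt.Printf("client %#x-%#x: negotiated=%#x elapsed=%v err=%v\n", c[0], c[1], v, d, err)
	}
}
```

The third client (TLS1.0-1.1 only) never reaches the server: the proxy has nothing in common with it to offer, which is the failure mode Amos points to, while the first two negotiate TLS1.2 regardless of the proxy's own TLS1.3 support. Calling probe directly with a TLS1.1-only range shows the server's own rejection, and a large elapsed value on an otherwise successful probe is the symptom worth investigating separately, as with the slow s_client run above.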
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users